Updates requested in the review.

marek-trtik · marek-trtik · commit f81878c80215 · 2018-08-22T11:42:27.000+01:00
Added a test case with no XXE issue in it.
diff --git a/regression/end_to_end/xxe02/src/Main.java b/regression/end_to_end/xxe02/src/Main.java
@@ -9,12 +9,23 @@ public class Main {
     private static String make_tainted(String s) {
         return s;
     }
-    
-    public static void main(String[] args) {
-        if (args.length < 1)
-            return;
 
-        String xml_from_attacker = make_tainted(args[0]);
+    public static void no_xxe_issue(String input) {
+        String xml_from_attacker = make_tainted(input);
+
+        try {
+            JAXBContext jc = JAXBContext.newInstance("xxe02.MyClass");
+            XMLInputFactory xif = XMLInputFactory.newFactory();
+            xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml_from_attacker));
+            Unmarshaller unmarshaller = jc.createUnmarshaller();
+            MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+        } catch (Exception e) {
+        }
+    }
+
+    public static void xxe_issue(String input) {
+        String xml_from_attacker = make_tainted(input);
 
         try {
             JAXBContext jc = JAXBContext.newInstance("xxe02.MyClass");
@@ -26,5 +37,15 @@ public static void main(String[] args) {
         } catch (Exception e) {
         }
     }
+
+    public static void main(String[] args) {
+        if (args.length < 1)
+            return;
+
+        String xml_from_attacker = make_tainted(args[0]);
+
+        no_xxe_issue(xml_from_attacker);
+        xxe_issue(xml_from_attacker);
+    }
 }
 
diff --git a/regression/end_to_end/xxe02/test_xxe02.py b/regression/end_to_end/xxe02/test_xxe02.py
@@ -1,25 +1,39 @@
 import fasteners
 import os
 import subprocess
-# import pytest
+import pytest
 
 from regression.end_to_end.driver import run_security_analyser_pipeline
 import regression.utils as utils
 
 
-# @pytest.mark.xfail(strict=True)
+@pytest.mark.xfail(strict=True)
 @fasteners.interprocess_locked(os.path.join(os.path.dirname(__file__), ".build_lock"))
-def test_xxe02(load_strategy):
+def test_xxe02_no_xxe_issue(load_strategy):
     with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
         subprocess.call(["ant"])
     with run_security_analyser_pipeline(
             "build",
             "rules.json",
             os.path.realpath(os.path.dirname(__file__)),
-            "xxe02.Main.main",
+            "xxe02.Main.no_xxe_issue",
+            load_strategy,
+            extra_args=["--use-xxe-models-library"]) as traces:
+        assert traces.count_traces() == 0
+
+
+@fasteners.interprocess_locked(os.path.join(os.path.dirname(__file__), ".build_lock"))
+def test_xxe02_xxe_issue(load_strategy):
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call(["ant"])
+    with run_security_analyser_pipeline(
+            "build",
+            "rules.json",
+            os.path.realpath(os.path.dirname(__file__)),
+            "xxe02.Main.xxe_issue",
             load_strategy,
             extra_args=["--use-xxe-models-library"]) as traces:
         assert traces.count_traces() == 1
         assert traces.trace_exists(
-            "java::xxe02.Main.main:([Ljava/lang/String;)V", 25)
+            "java::xxe02.Main.xxe_issue:(Ljava/lang/String;)V", 36)
 
